Product URLs

CVSSv3 Score

CWE

CWE-680: Integer Overflow to Buffer Overflow

Details

libxls is a C library, supported on Windows, Mac and Cygwin, that can read Microsoft Excel File Format (XLS) files. The library is used by the readxl package, which can be installed in the R programming language.

The general purpose of the xls_preparseWorkSheet function is to obtain the maximum col and row values from the records present in the worksheet and to update the lastcol and lastrow fields with those values.
As we can see in lines 1013-1014, an integer overflow can occur. This can have two potential impacts. In one case, the maximum value stored in lastcol will not be updated even if the MULBLANK col field is greater than the value in lastcol.
In the other case, lastcol will be updated to the overflowed value.

The malformed MULBLANK record is located at offset 0xCB1F and looks as follows:

0xCB1F BE 00 20 00 AA AA FF FF

Setting a breakpoint at line 1007, we can obtain the following information:

Next, during the final parsing of the malformed MULBLANK record in xls_addCell, an out-of-bounds write occurs because the col value used as the index into the cell array is greater than the number of elements allocated for that array.
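The arithmetic behind the overflow, shown next to a range-checked form, as an added example that is not libxls code or code from this advisory. It assumes the standard BIFF8 MULBLANK layout (row, first column, one 2-byte XF index per cell, last column), so the last column is first_col + (size - 6)/2 - 1; the function names are hypothetical and the benign record is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record bytes quoted in the advisory: type 0x00BE, size 0x20, row, col. */
static const uint8_t advisory_rec[8] = {0xBE, 0x00, 0x20, 0x00, 0xAA, 0xAA, 0xFF, 0xFF};
/* Constructed benign record: size 10 (two blank cells), row 1, first col 2. */
static const uint8_t benign_rec[8] = {0xBE, 0x00, 0x0A, 0x00, 0x01, 0x00, 0x02, 0x00};

/* Little-endian 16-bit read, as used by BIFF record fields. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Last column kept in a 16-bit field: the sum is truncated and wraps. */
static uint16_t mulblank_last_col_wrapping(const uint8_t *rec) {
    uint16_t size = rd16(rec + 2), first_col = rd16(rec + 6);
    return (uint16_t)(first_col + (size - 6) / 2 - 1);
}

/* Hardened form (hypothetical helper): compute in 32 bits and reject any
 * result that cannot be a 16-bit column. Returns 0 and stores the last
 * column on success, -1 on a malformed record. */
static int mulblank_last_col_checked(const uint8_t *rec, size_t len, uint16_t *out) {
    if (len < 8 || rd16(rec) != 0x00BE) return -1;   /* header + row + col */
    uint32_t size = rd16(rec + 2), first_col = rd16(rec + 6);
    if (size < 8 || (size - 6) % 2 != 0) return -1;  /* needs >= 1 XF index */
    uint32_t last = first_col + (size - 6) / 2 - 1;
    if (last > UINT16_MAX) return -1;                /* would wrap in 16 bits */
    *out = (uint16_t)last;
    return 0;
}

int main(void) {
    uint16_t last = 0;
    printf("advisory record: wrapping=0x%04X checked=%d\n",
           mulblank_last_col_wrapping(advisory_rec),
           mulblank_last_col_checked(advisory_rec, sizeof advisory_rec, &last));
    printf("benign record:   wrapping=0x%04X checked=%d\n",
           mulblank_last_col_wrapping(benign_rec),
           mulblank_last_col_checked(benign_rec, sizeof benign_rec, &last));
    return 0;
}
```

For the advisory's record the truncated result is far smaller than the record's own col field, so a maximum derived from it no longer bounds the index that the record supplies.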